The Committee of Sponsoring Organizations returns to its fraud roots after 30 years

February 2017 | SPECIAL REPORT: CORPORATE FRAUD & CORRUPTION

Financier Worldwide Magazine

February 2017 Issue

The Committee of Sponsoring Organizations (COSO) Internal Control – Integrated Framework (originally published in 1992) has done more to improve organisational accountability than anything since Luca Pacioli invented double-entry bookkeeping in the early 1500s.

In 2013, COSO updated its Internal Control – Integrated Framework. As a result, there is a renewed focus on deterring, preventing and detecting fraud by organisations around the globe.

The Treadway Commission issued its groundbreaking report – Report of the National Commission on Fraudulent Financial Reporting – in October 1987 following a two year study. The Commission was chaired by James C. Treadway, Jr., a former Commissioner of the Securities and Exchange Commission (SEC), and sponsored and funded by the American Institute of Certified Public Accountants (AICPA), the American Accounting Association (AAA), the Financial Executives Institute (FEI), the Institute of Internal Auditors (IIA) and the National Association of Accountants (now the Institute of Management Accountants (IMA)).

The Treadway Commission’s focus was on fraudulent financial reporting, as opposed to “unintentional errors” and “other corporate improprieties, such as employee embezzlements, violations of environmental or product safety regulations, and tax fraud, which do not necessarily cause the financial statements to be materially inaccurate”. This narrower focus was, in fact, justified, because, with very few exceptions (such as the 1995 collapse of the more than 200 year-old Barings Bank, caused by a mid-level derivatives trader named Nick Leeson) catastrophic frauds (frauds resulting in massive stakeholder losses and the demise of the organisation) in the 20th century resulted from fraudulent financial reporting rather than “other corporate improprieties”.

The Treadway Commission made 49 recommendations. These were grouped into four major categories. First were several recommendations for the public company (the tone at the top, internal accounting and audit functions, the audit committee, management and audit committee reports, the practice of seeking second opinions from independent public accountants and quarterly reporting). Next were recommendations for independent public accountants (fraud detection responsibilities, audit quality, communications and changing the process of setting audit standards). The Commission also made recommendations for the SEC and others to improve the regulatory environment (better sanctions and greater criminal prosecution, improved regulation of the public accounting profession, SEC resources, improved regulation of financial institutions, better oversight by state boards of accountancy and insurance and liability crises). The final group of recommendations was related to education (business and accounting curricula, professional certification examinations, continuing professional education, and five-year accounting programmes and corporate initiatives).

Most of the Commission’s recommendations have been implemented, although some were not addressed in earnest until after the unfortunate spate of major financial statement fraud cases in 2000 to 2002.

With the issuance of its report in October 1987, the Treadway Commission disbanded. COSO itself, however, carried on, and in 1992 published Internal Control – Integrated Framework (1992 Framework). The 1992 Framework’s focus was on the first set of Treadway recommendations related to tone at the top and better controls over accounting and financial reporting. The 1992 Framework fairly quickly became the globally recognised set of best practices for internal control. Every publicly traded company in the US and most other organisations around the world have embraced and adopted these COSO best practices.

Whether intentional or not, the emphasis of the 1992 Framework generally became accuracy in accounting and financial reporting, rather than fraud in accounting and financial reporting, per se. (The word ‘fraud’ appears just a few times in the several-hundred-page document.) In 2013 the COSO revamped and updated the Internal Control – Integrated Framework (2013 Framework), adding 17 principles to COSO’s five components of internal control. Principle 8 caught at least some COSO users by surprise – the organisation considers the potential for fraud in assessing risks to the achievement of objectives.

Some COSO users had already addressed fraud risk when designing internal controls. Many organisations, however, put basic controls in place without considering in very much detail how those controls could be intentionally circumvented. This new, explicit requirement pertaining to fraud created a demand for more guidance on how to proactively manage fraud risk. In response, COSO and the Association of Certified Fraud Examiners (ACFE) established a task force in 2015 to develop more detailed fraud risk management guidance. The task force used an earlier AICPA, IIA, and ACFE publication – Managing the Business Risk of Fraud, A Practical Guide – as its starting point. In September 2016, COSO and ACFE published the results of the task force’s efforts: the Fraud Risk Management Guide (FRMG).

The FRMG contains five principles, numerous appendices and links to practical fraud risk management tools. Principle one pertains to the control environment and governance: the organisation establishes and communicates a fraud risk management programme that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk. Appendices include sample materials that can be used to implement this baseline governance principle.

Principle two deals with the actual assessment of fraud risk: the organisation performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities and implement actions to mitigate residual fraud risks. The chapter on principle two explains how the comprehensive fraud risk assessment is carried out and documented.

Principle three focuses directly on how to design and implement fraud control activities: the organisation selects, develops and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner. Heavy emphasis is placed on using data analytics to prevent or quickly detect fraudulent transactions and activities.

Principle four addresses information and communication: the organisation establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner. Two key components of fraud risk management involve, firstly, establishing a robust system enabling and encouraging suspicions about fraud to be reported and secondly, being ready to carry out a rigorous investigation of suspected fraud.

The final principle involves monitoring the entire fraud risk management process: the organisation selects, develops and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning, and communicates fraud risk management programme deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.

The five fraud risk management principles align with and can be mapped to the 2013 Framework’s five internal control components (control environment, risk assessment, control activities, information and communication and monitoring) and 17 principles. COSO users will find the structure and terminology used in the FRMG very familiar.

For those not sure that they need to address fraud risk management beyond what they already have as part of their existing internal control structure, there is an easy way to find out. The FRMG contains five ‘scorecards’. These scorecards list all of the attributes needed to fully address each principle. These can be used to self-assess how well an organisation’s current processes and procedures address fraud risk. Each attribute can be assessed as red (we have not considered this), yellow (we address this in part, but more can be done), or green (we have fully implemented this attribute). It does not take very long for organisations to conduct this self-assessment. If there is a lot of red on the scorecards, the organisation is vulnerable to fraud.

Arguably the COSO’s renewed focus on fraud risk management is long overdue. The 1992 Framework was a tremendous advancement in organisational accountability. The 2013 Framework brings COSO back to its fraud-focused roots. The 2016 FRMG provides the guidance needed to enable organisations to make themselves as fraud-proof as possible.

David L. Cotton is the chairman of Cotton & Company LLP. He can be contacted on +1 (703) 836 6701 or by email: dcotton@cottoncpa.com.